Re: How does Artifact Registry's vulnerability sca...

Elkasitu

Artifact Registry's vulnerability scanner only works with a given set of supported base OS [1], however when trying an image with a supposedly supported base OS, the scanner shows the following error "Failed to identify known supported OS in image". The image in question is based on ubi9 [2] which is functionally the same as RHEL 9 and even the `/etc/os-release` is the same as the rhel9 [3] version of the image.

So how can I know whether my base image will actually be supported?

[1] https://cloud.google.com/artifact-analysis/docs/container-scanning-overview#os

[2] https://catalog.redhat.com/software/containers/ubi9/python-311/63f764b03f0b02a2e2d63fff?architecture...

[3] https://catalog.redhat.com/software/containers/rhel9/python-311/63f764969b0ca19f84f7e7c0?architectur...

juliadeanne

Hello @Elkasitu,

Welcome to the Google Cloud Community!

According to the document you provided, it mentions that on-demand scanning doesn't support RHEL version 9.

The problem you're facing may be because the vulnerability scanner you're using doesn't support RHEL Version 9 (and UBI 9, which is based on RHEL 9) for on-demand scanning. This means the scanner isn't able to properly analyze your UBI 9-based image.

Since this tool doesn't currently support RHEL 9 and UBI 9 for on-demand scanning, you might want to explore other vulnerability scanners that do support RHEL 9.

Elkasitu

Thanks for the answer @juliadeanne but we didn't use on-demand scanning in this instance. We simply built a new image based on the ubi9/python-311 image and pushed it to our registry which has automatic scanning enabled and here's the result:

Any idea as to what might be the problem or guidance on which specific images are supported? These are Red Hat official images so it's surprising that they are not supported...

How does Artifact Registry's vulnerability scanner detect an image's base OS?